php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #79760 Potential use after free if memory limit hit during GC
Submitted: 2020-06-30 10:48 UTC Modified: -
From: nikic@php.net Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0Git-2020-06-30 (Git) OS:
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
21 + 33 = ?
Subscribe to this entry?

 
 [2020-06-30 10:48 UTC] nikic@php.net 
Description:
------------
If a get_gc handler triggers the memory limit after the GC has decremented refcounts, we may end up freeing objects early.

For example, running Laravel tests on master with default memory limit results in:

php: /home/nikic/php/php-src-asan/Zend/zend_types.h:1162: zend_gc_delref: Assertion `p->refcount > 0' failed.

with the following backtrace fragment from the _zend_bailout:

#15 0x0000555556c5b818 in zend_std_get_properties (zobj=0x7fffe7992c08)
    at /home/nikic/php/php-src-asan/Zend/zend_object_handlers.c:110
#16 0x0000555556358910 in reflection_get_gc (obj=0x7fffe7992c08, gc_data=0x7fffffff8bd0, 
    gc_data_count=0x7fffffff8b80)
    at /home/nikic/php/php-src-asan/ext/reflection/php_reflection.c:275
#17 0x0000555556c1f296 in gc_mark_grey (ref=0x7fffe7992c08, stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:827
#18 0x0000555556c20335 in gc_mark_roots (stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:979
#19 0x0000555556c23c23 in zend_gc_collect_cycles ()
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:1464

Not sure how to fix this.

Patches

Pull Requests
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Mar 15 18:01:28 2025 UTC